Add SAML Group link resource

mhodgson · timofurrer · commit 04924793162d · 2022-09-05T18:28:33.000+02:00
diff --git a/internal/provider/access_level_helpers.go b/internal/provider/access_level_helpers.go
@@ -65,6 +65,14 @@ var validProjectEnvironmentStates = []string{
 	"available", "stopped",
 }
 
+var validGroupSamlLinkAccessLevelNames = []string{
+	"Guest",
+	"Reporter",
+	"Developer",
+	"Maintainer",
+	"Owner"
+}
+
 var accessLevelNameToValue = map[string]gitlab.AccessLevelValue{
 	"no one":     gitlab.NoPermissions,
 	"minimal":    gitlab.MinimalAccessPermissions,
diff --git a/internal/provider/resource_gitlab_group_saml_link.go b/internal/provider/resource_gitlab_group_saml_link.go
@@ -0,0 +1,163 @@
+package provider
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	gitlab "github.com/xanzy/go-gitlab"
+)
+
+var _ = registerResource("gitlab_group_saml_link", func() *schema.Resource {
+	return &schema.Resource{
+		Description: `The ` + "`gitlab_group_saml_link`" + ` resource allows to manage the lifecycle of an SAML integration with a group.
+
+**Upstream API**: [GitLab REST API docs](https://docs.gitlab.com/ee/api/groups.html#saml-group-links)`,
+
+		CreateContext: resourceGitlabGroupSamlLinkCreate,
+		ReadContext:   resourceGitlabGroupSamlLinkRead,
+		DeleteContext: resourceGitlabGroupSamlLinkDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: resourceGitlabGroupSamlLinkImporter,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"group_id": {
+				Description: "The id of the GitLab group.",
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+			},
+			"access_level": {
+				Description:      fmt.Sprintf("Minimum access level for members of the SAML group. Valid values are: %s", renderValueListForDocs(validGroupSamlLinkAccessLevelNames)),
+				Type:             schema.TypeString,
+				ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice(validGroupSamlLinkAccessLevelNames, false)),
+				Required:         true,
+				ForceNew:         true,
+			},
+			"saml_group_name": {
+				Description: "The name of the SAML group.",
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+			},
+			"force": {
+				Description: "If true, then delete and replace an existing SAML link if one exists.",
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				ForceNew:    true,
+			},
+		},
+	}
+})
+
+func resourceGitlabGroupSamlLinkCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*gitlab.Client)
+
+	groupId := d.Get("group_id").(string)
+	accessLevel := d.Get("access_level").(string)
+	samlGroupName := d.Get("saml_group_name").(string)
+	force := d.Get("force").(bool)
+
+	options := &gitlab.AddGroupSAMLLinkOptions{
+		AccessLevel:   &accessLevel,
+		SamlGroupName: &samlGroupName,
+	}
+
+	if force {
+		if err := resourceGitlabGroupSamlLinkDelete(ctx, d, meta); err != nil {
+			return err
+		}
+	}
+
+	log.Printf("[DEBUG] Create GitLab group SamlLink %s", d.Id())
+	SamlLink, _, err := client.Groups.AddGroupSAMLLink(groupId, options, gitlab.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(buildTwoPartID(&groupId, &SamlLink.Name))
+
+	return resourceGitlabGroupSamlLinkRead(ctx, d, meta)
+}
+
+func resourceGitlabGroupSamlLinkRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*gitlab.Client)
+	groupId := d.Get("group_id").(string)
+
+	// Try to fetch all group links from GitLab
+	log.Printf("[DEBUG] Read GitLab group SamlLinks %s", groupId)
+	samlLinks, _, err := client.Groups.ListGroupSAMLLinks(groupId, nil, gitlab.WithContext(ctx))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	// If we got here and don't have links, assume GitLab is below version 12.8 and skip the check
+	if samlLinks != nil {
+		// Check if the LDAP link exists in the returned list of links
+		found := false
+		for _, samlLink := range samlLinks {
+			if buildTwoPartID(&groupId, &samlLink.Name) == d.Id() {
+				d.Set("group_id", groupId)
+				d.Set("access_level", samlLink.AccessLevel])
+				d.Set("saml_group_name", samlLink.Name)
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			d.SetId("")
+			return diag.Errorf("SamlLink %s does not exist.", d.Id())
+		}
+	}
+
+	return nil
+}
+
+func resourceGitlabGroupSamlLinkDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*gitlab.Client)
+	groupId := d.Get("group_id").(string)
+	samlGroupName := d.Get("saml_group_name").(string)
+
+	log.Printf("[DEBUG] Delete GitLab group SamlLink %s", d.Id())
+	_, err := client.Groups.DeleteGroupSAMLLink(groupId, samlGroupName, cn, gitlab.WithContext(ctx))
+	if err != nil {
+		switch err.(type) { // nolint // TODO: Resolve this golangci-lint issue: S1034: assigning the result of this type assertion to a variable (switch err := err.(type)) could eliminate type assertions in switch cases (gosimple)
+		case *gitlab.ErrorResponse:
+			// Ignore SAML links that don't exist
+			if strings.Contains(string(err.(*gitlab.ErrorResponse).Message), "Linked SAML group not found") { // nolint // TODO: Resolve this golangci-lint issue: S1034(related information): could eliminate this type assertion (gosimple)
+				log.Printf("[WARNING] %s", err)
+			} else {
+				return diag.FromErr(err)
+			}
+		default:
+			return diag.FromErr(err)
+		}
+	}
+
+	return nil
+}
+
+func resourceGitlabGroupSamlLinkImporter(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	parts := strings.SplitN(d.Id(), ":", 2)
+	if len(parts) != 2 {
+		return nil, fmt.Errorf("invalid saml link import id (should be <group id>:<saml group name>): %s", d.Id())
+	}
+
+	groupId, samlGroupName := parts[0], parts[1]
+	d.SetId(buildTwoPartID(&groupId, &samlGroupName))
+	d.Set("group_id", groupId)
+	d.Set("force", false)
+
+	diag := resourceGitlabGroupSamlLinkRead(ctx, d, meta)
+	if diag.HasError() {
+		return nil, fmt.Errorf("%s", diag[0].Summary)
+	}
+	return []*schema.ResourceData{d}, nil
+}
diff --git a/internal/provider/resource_gitlab_group_saml_link_test.go b/internal/provider/resource_gitlab_group_saml_link_test.go
@@ -0,0 +1,189 @@
+//go:build acceptance
+// +build acceptance
+
+package provider
+
+import (
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"github.com/xanzy/go-gitlab"
+)
+
+func TestAccGitlabGroupSamlLink_basic(t *testing.T) {
+	rInt := acctest.RandInt()
+	resourceName := "gitlab_group_saml_link.foo"
+
+	// PreCheck runs after Config so load test data here
+	var samlLink gitlab.SAMLGroupLink
+	testSamlLink := gitlab.SAMLGroupLink{
+		Name: "test_saml_group"
+	}
+
+	resource.ParallelTest(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testAccCheckGitlabGroupSamlLinkDestroy,
+		Steps: []resource.TestStep{
+
+			// Create a group SAML link as a developer (uses testAccGitlabGroupLdapSamlCreateConfig for Config)
+			{
+				SkipFunc: isRunningInCE,
+				Config:   testAccGitlabGroupSamlLinkCreateConfig(rInt, &testSamlLink),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabGroupSamlLinkExists(resourceName, &samlLink)),
+			},
+
+			// Import the group SAML link (re-uses testAccGitlabGroupSamlLinkCreateConfig for Config)
+			{
+				SkipFunc:          isRunningInCE,
+				ResourceName:      resourceName,
+				ImportStateIdFunc: getGitlabGroupSamlLinkImportID(resourceName),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+
+			// Update the group SAML link to change the access level (uses testAccGitlabGroupSamlLinkUpdateConfig for Config)
+			{
+				SkipFunc: isRunningInCE,
+				Config:   testAccGitlabGroupSamlLinkUpdateConfig(rInt, &testSamlLink),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGitlabGroupSamlLinkExists(resourceName, &samlLink))
+			},
+		},
+	})
+}
+
+func getGitlabGroupSamlLinkImportID(resourceName string) resource.ImportStateIdFunc {
+	return func(s *terraform.State) (string, error) {
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return "", fmt.Errorf("Not Found: %s", resourceName)
+		}
+
+		groupID := rs.Primary.Attributes["group_id"]
+		if groupID == "" {
+			return "", fmt.Errorf("No group ID is set")
+		}
+		samlGroupName := rs.Primary.Attributes["saml_group_name"]
+		if samlGroupName == "" {
+			return "", fmt.Errorf("No SAML group name is set")
+		}
+
+		return fmt.Sprintf("%s:%s", groupID, samlGroupName), nil
+	}
+}
+
+func testAccCheckGitlabGroupSamlLinkExists(resourceName string, samlLink *gitlab.SAMLGroupLink) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		// Clear the "found" SAML link before checking for existence
+		*samlLink = gitlab.SAMLGroupLink{}
+
+		resourceState, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		err := testAccGetGitlabGroupSamlLink(samlLink, resourceState)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckGitlabGroupSamlLinkDestroy(s *terraform.State) error {
+	// Can't check for links if the group is destroyed so make sure all groups are destroyed instead
+	for _, resourceState := range s.RootModule().Resources {
+		if resourceState.Type != "gitlab_group" {
+			continue
+		}
+
+		group, _, err := testGitlabClient.Groups.GetGroup(resourceState.Primary.ID, nil)
+		if err == nil {
+			if group != nil && fmt.Sprintf("%d", group.ID) == resourceState.Primary.ID {
+				if group.MarkedForDeletionOn == nil {
+					return fmt.Errorf("Group still exists")
+				}
+			}
+		}
+		if !is404(err) {
+			return err
+		}
+		return nil
+	}
+	return nil
+}
+
+func testAccGetGitlabGroupSamlLink(samlLink *gitlab.SAMLGroupLink, resourceState *terraform.ResourceState) error {
+	groupId := resourceState.Primary.Attributes["group_id"]
+	if groupId == "" {
+		return fmt.Errorf("No group ID is set")
+	}
+
+	// Construct our desired SAML Link from the config values
+	desiredSamlLink := gitlab.SAMLGroupLink{
+		AccessLevel: resourceState.Primary.Attributes["access_level"],
+		Name:        resourceState.Primary.Attributes["saml_group_name"],
+	}
+
+	desiredSamlLinkId := buildTwoPartID(&groupId, &desiredSamlLink.Name)
+
+	// Try to fetch all group links from GitLab
+	currentSamlLinks, _, err := testGitlabClient.Groups.ListGroupSamlLinks(groupId, nil)
+	if err != nil {
+		return err
+	}
+
+	found := false
+
+	// Check if the SAML link exists in the returned list of links
+	for _, currentSamlLink := range currentSamlLinks {
+		if buildTwoPartID(&groupId, &currentSamlLink.Name) == desiredSamlLinkId {
+			found = true
+			*samlLink = *currentSamlLink
+			break
+		}
+	}
+
+	if !found {
+		return errors.New(fmt.Sprintf("SamlLink %s does not exist.", desiredSamlLinkId)) // nolint // TODO: Resolve this golangci-lint issue: S1028: should use fmt.Errorf(...) instead of errors.New(fmt.Sprintf(...)) (gosimple)
+	}
+
+	return nil
+}
+
+func testAccGitlabGroupSamlLinkCreateConfig(rInt int, testSamlLink *gitlab.SAMLGroupLink) string {
+	return fmt.Sprintf(`
+resource "gitlab_group" "foo" {
+    name = "foo%d"
+	path = "foo%d"
+	description = "Terraform acceptance test - Group SAML Links 1"
+}
+
+resource "gitlab_group_saml_link" "foo" {
+    group_id 		= "${gitlab_group.foo.id}"
+	access_level 	= "Developer"
+	saml_group_name = "%s"
+
+}`, rInt, rInt, testSamlLink.Name)
+}
+
+func testAccGitlabGroupSamlLinkUpdateConfig(rInt int, testSamlLink *gitlab.SAMLGroupLink) string {
+	return fmt.Sprintf(`
+resource "gitlab_group" "foo" {
+    name = "foo%d"
+	path = "foo%d"
+	description = "Terraform acceptance test - Group SAML Links 2"
+}
+
+resource "gitlab_group_saml_link" "foo" {
+    group_id 		= "${gitlab_group.foo.id}"
+    access_level 	= "Maintainer"
+	saml_group_name = "%s"
+}`, rInt, rInt, testSamlLink.Name)
+}
